First, determine which type of LSA you need to filter by checking which part of the database the route is in:
#show ip ospf database [router | network | summary | internal | external]
There are 5 ways to perform OSPF Route Filtering:
1. DISTRIBUTE LIST - Filters all LSAs from the Routing Table, but they stay in the OSPF Database
!!!distribute-list OUT works on both, routing table and OSPF database, but ONLY on ASBR for LSA5 and 7!!!
2. FILTER LIST - Filters only LSA3, so - only on ABR, but filters from OSPF Database.
filter-list can be applied: IN - into the area, OUT - out of the area
3. NOT-ADVERTISE - ONLY filters LSA Types 1 and 2, apply on ABR (filters both, routing table and OSPF Database)
Can be used with both, "area X range" (ABR) and "summary-address" (ASBR) commands
4. DISTANCE - Set the AD of the advertised routes to 255, so that they are UNREACHABLE
(config-router)#distance 255 3.3.3.3 0.0.0.0 10 <- 10 is an ACL
5. DATABASE-FILTER - If you want to prevent ANY LSAs from being advertised (can be applied per neighbor or on INT):
(config-subif)#ip ospf database-filter all out <- PER INTERFACE
(config-router)#neighbor x.x.x.x database-filter all out <- PER NEIGHBOR
!!!DISTRIBUTE-LIST only affects the local router!!! Meaning: the update is still distributed to the other routers, and the subnets are only filtered out of the local IP ROUTING TABLE
Filter using Distribute List
The easiest way to filter the OSPF routes from being added to the Routing Table is the distribute-list. The advantage is that it's rather easy to implement, and it can filter any type of LSA:
Cisqueros_R2(config-router)#distribute-list prefix MY_PREFIX_LIST in <--- OUT would only work on ASBR TO FILTER LSA5 & LSA7
The big CON is that even though the Route is not added to the local Routing Table, it stays in the database and is propagated further to the other OSPF Neighbors.
The route will therefore appear in the Routing Table of the other routers, but it will not be reachable through this router, as one of the routers along the path does not have it in its Routing Table.
*If you need to reach the route without passing through the router that cannot reach it - define the route-map with the next hop pointing towards an alternative path, and apply it in the Global Configuration mode:
(config)#ip local policy route-map ROUTE_MAP
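The blackhole described above can be reproduced offline. This is an added example, not part of the original notes: the three-router line R1 - R2 - R3, the equal link costs and the exact-match filter are assumptions made for the illustration, and the prefix is borrowed from the filter-list section.

```python
from collections import deque

# Constructed topology: R1 -- R2 -- R3, all links equal cost, one area.
LINKS = {"R1": ["R2"], "R2": ["R1", "R3"], "R3": ["R2"]}
PREFIX = "172.25.185.0/24"
# The LSDB is identical on every router: distribute-list in does not touch it.
LSDB = {PREFIX: "R3"}  # prefix -> originating router

def first_hop(src, dst):
    """Shortest-path first hop from src to dst (BFS, since costs are equal)."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        for nbr in LINKS[node]:
            if nbr not in prev:
                prev[nbr] = node
                queue.append(nbr)
    hop = dst
    while prev[hop] != src:
        hop = prev[hop]
    return hop

def build_rib(router, distribute_in):
    """Routing table of one router; distribute_in maps router -> filtered prefixes."""
    rib = {}
    for prefix, origin in LSDB.items():
        if prefix in distribute_in.get(router, set()):
            continue  # kept out of the local RIB only, still present in the LSDB
        rib[prefix] = "connected" if origin == router else first_hop(router, origin)
    return rib

def trace(src, prefix, distribute_in):
    """Follow next hops hop by hop, the way a packet would be forwarded."""
    path, node = [src], src
    while True:
        hop = build_rib(node, distribute_in).get(prefix)
        if hop is None:
            return path, "dropped at " + node
        if hop == "connected":
            return path, "delivered"
        node = hop
        path.append(node)

if __name__ == "__main__":
    print(trace("R1", PREFIX, {}))                # no filter anywhere
    print(trace("R1", PREFIX, {"R2": {PREFIX}}))  # distribute-list in on R2
    print(build_rib("R1", {"R2": {PREFIX}}))      # R1 still installs the route
```

R1's routing table looks healthy in both runs, so the drop only shows up when the path is traced hop by hop.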
OSPF filter-list - LSA-3 FILTERING
This ONLY works for LSA-3 (Summary), and therefore needs to be configured on the ABR only. Let's say that we want to filter the network 172.25.185.0/24 from the Area 2. Then on the ABR we define the prefix list that DENIES that network, and ALLOWS everything else:
(config)#ip prefix-list JEDANES seq 10 deny 172.25.185.0/24
(config)#ip prefix-list JEDANES seq 20 permit 0.0.0.0/0 le 32
Then apply the prefix-list as a filter-list within the OSPF process configuration for Area 2:
(config-router)#area 2 filter-list prefix JEDANES in
This will prevent the network from being advertised into Area 2. Note that IN/OUT means that the network is being advertised into or out of AREA 2
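Before applying a filter-list it helps to check offline what the prefix-list really matches. The evaluator below is an added example, not code from the original notes: it models standard ip prefix-list matching (sequence order, ge/le length ranges, implicit deny), and the WEAK and STRICT variants and the sample summaries are constructed for comparison.

```python
import ipaddress

# Entries are (seq, action, prefix, ge, le). JEDANES mirrors the list above.
JEDANES = [(10, "deny", "172.25.185.0/24", None, None),
           (20, "permit", "0.0.0.0/0", None, 32)]
# Constructed variant: "le 32" forgotten on the permit entry.
WEAK = [(10, "deny", "172.25.185.0/24", None, None),
        (20, "permit", "0.0.0.0/0", None, None)]
# Constructed variant: the deny also covers more-specific prefixes.
STRICT = [(10, "deny", "172.25.185.0/24", None, 32),
          (20, "permit", "0.0.0.0/0", None, 32)]
# Constructed sample of Type 3 summaries an ABR might hold.
SUMMARIES = ["172.25.185.0/24", "172.25.185.0/25", "172.25.184.0/24", "10.0.0.0/8"]

def entry_matches(entry, route):
    _seq, _action, prefix, ge, le = entry
    net = ipaddress.ip_network(prefix)
    cand = ipaddress.ip_network(route)
    if not cand.subnet_of(net):        # network bits must fall inside the entry
        return False
    if ge is None and le is None:      # no ge/le: the length must match exactly
        return cand.prefixlen == net.prefixlen
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else 32
    return low <= cand.prefixlen <= high

def evaluate(prefix_list, route):
    """Return (action, seq) of the first matching entry, lowest seq first."""
    for entry in sorted(prefix_list, key=lambda e: e[0]):
        if entry_matches(entry, route):
            return entry[1], entry[0]
    return "deny", None                # implicit deny at the end of every list

def advertised(prefix_list, routes):
    """Routes that would still pass the filter-list."""
    return [r for r in routes if evaluate(prefix_list, r)[0] == "permit"]

if __name__ == "__main__":
    for name, plist in (("JEDANES", JEDANES), ("WEAK", WEAK), ("STRICT", STRICT)):
        print(name, advertised(plist, SUMMARIES))
```

With JEDANES as written, a more-specific 172.25.185.0/25 summary would still pass, because the deny entry has no le and so matches the /24 length only.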
OSPF "not-advertise" LSA1 & LSA2 FILTERING
If you need to filter LSAs 1 and 2, you can use the "not-advertise" command, but also ONLY ON ABR!
(config-router)#area 1 range 172.25.182.0 255.255.255.0 not-advertise
Tune the ADVERTISED DISTANCE to Filter the Prefix
Another way to filter the OSPF networks is manually setting the distance to 255, which is UNREACHABLE. It's not the most elegant way, but you should know that it's also an option.
Cisqueros_R4(config-router)#distance 255 3.3.3.3 0.0.0.0 10 <--- 0.0.0.0 IS A WILDCARD MASK (MATCHES ONLY 3.3.3.3), 10 IS AN ACCESS-LIST WITH THE PREFIXES WE WANT TO FILTER
Filter EXTERNAL OSPF Routes: LSA5 & LSA7
The first way to filter these routes was already mentioned above:
Cisqueros_R2(config-router)#distribute-list prefix MY_PREFIX_LIST OUT
The second way is reserved ONLY for the External Routes, and it's the "not-advertise" keyword applied to the "summary-address" command:
(config-router)#summary-address 172.29.189.0 255.255.255.0 not-advertise <--- MUST BE APPLIED ON ASBR
Filter OSPF per Interface
If you wish to prevent LSAs from being sent via a particular Interface:
(config-if)#ip ospf database-filter all out
*ALL and OUT are the only options, which means you cannot apply a specific filter on the OSPF interface
Filter OSPF per NEIGHBOR
Even though OSPF doesn't require that we manually configure the Neighbors, we do need to use the "neighbor" command in order to configure the OSPF database filtering:
(config-router)#neighbor 5.5.5.5 database-filter all out
*Network MUST be configured as POINT-TO-POINT (on the Interface Configuration)